[57] ABSTRACT

A method is provided for securing stored files in a system 
having a plurality of system users with each system user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion. Each 
public key portion is accessible to the plurality of system 
users. Each private key portion has a first private key portion 
known only to the associated user and a corresponding 
second private key portion known only to a security server. 
Data to be stored is identified. A symmetric crypto-key is
encrypted with only the second private key portion of a first 
user crypto-key to form an encrypted key message, thereby 
restricting access to the symmetric crypto-key to only the 
first user. The symmetric crypto-key is obtained by the first 
user by applying the first private key portion of the first user 
crypto-key to decrypt the encrypted key message. The first 
user encrypts the data with the symmetric crypto-key to 
form an encrypted file, and stores the encrypted file and the 
encrypted key message. 

24 Claims, 8 Drawing Sheets 
SECURING E-MAIL COMMUNICATIONS
AND ENCRYPTED FILE STORAGE USING 
YAKSHA SPLIT PRIVATE KEY 
ASYMMETRIC CRYPTOGRAPHY 

RELATED APPLICATIONS 

This application is a continuation-in-part of application
Ser. No. 08/277,376 filed Jul. 18, 1994 now U.S. Pat. No.
5,557,678 and a continuation-in-part of 08/338,128, filed
Nov. 9, 1994 now U.S. Pat. No. 5,535,276.

FIELD OF THE INVENTION 

The present invention relates generally to securing com- 
munications and stored files using cryptography. More 
particularly, the present invention provides secure electronic 
mail communications, such as INTERNET e-mail, and 
electronic data storage using asymmetric crypto-keys. 

BACKGROUND ART 

Cryptosystems have been developed for maintaining the
privacy of information transmitted across a communications
channel. Often, a symmetric cryptosystem is used for this
purpose. Symmetric cryptosystems, which utilize electronic
keys, can be likened to a physical security system where a 
box has a single locking mechanism with a single key hole. 
One key holder uses his/her key to open the box, place a 
message in the box and relock the box. Only a second holder 
of the identical copy of the key can unlock the box and 
retrieve the message. The term symmetric reflects the fact 
that both users must have identical keys. 

In more technical terms, a symmetric cryptosystem comprises
an encryption function E, a decryption function D,
and a shared secret-key, K. The key is a unique string of data
bits to which the functions are applied. Two examples of
encipherment/decipherment functions are the National
Bureau of Standards Data Encryption Standard (DES) and
the more recent Fast Encipherment Algorithm (FEAL). To
transmit a message, M, in privacy, the sender computes
$C=E(M,K)$, where C is referred to as the ciphertext. Upon
receipt of C, the recipient computes $M=D(C,K)$, to recover the
message M. An eavesdropper who copies C, but does not
know K, will find it practically impossible to recover M.
Typically, all details of the enciphering and deciphering 
functions, E and D, are well known, and the security of the 
system depends solely on maintaining the secrecy of key, K. 
Conventional symmetric cryptosystems are fairly efficient 
and can be used for encryption at fairly high data rates, 
especially if appropriate hardware implementations are 
used. 

Asymmetric cryptosystems, often referred to as public 
key cryptosystems, provide another means of encrypting 
information. Such systems differ from symmetric systems in 
that, in terms of physical analogue, the box has one lock with 
two non-identical keys associated with it. For example, in an
RSA system, either key can be used to unlock the box to 
retrieve a message which has been locked in the box by the 
other key. However, the system could be limited to using the 
keys in a particular sequence, such that the box can only be 
locked with the one key and unlocked with the other key. 

In public key electronic cryptosystems, each entity has a
private key, d, which is known only to the entity, and a
public key, eN, which is publicly known. Once a message is
encrypted with a user's public-key, it can only be decrypted
using that user's private-key, and conversely, if a message is
encrypted with a user's private-key, it can only be decrypted
using that user's public-key. It will be understood by those
familiar with the art that although the terms "encrypt" and
"decrypt" and derivations thereof are used herein in
describing the use of public and private keys in an asymmetric
public key cryptosystem, the term "transform" is commonly
used in the art interchangeably with the term "encrypt" and
the term "invert" is commonly used in the art interchangeably
with the term "decrypt". Accordingly, as used herein in
describing the use of public and private keys, the term
"transform" could be substituted for the term "encrypt" and
the term "invert" could be substituted for the term "decrypt".

If sender x wishes to send a message to receiver y, then
x "looks-up" y's public key eN, and computes $C=E(M,e_y)$
and sends it to y. User y can recover M using its private-key
$d_y$, by computing $M=D(C,d_y)$. An adversary who makes a
copy of C, but does not have $d_y$, cannot recover M. However,
public-key cryptosystems are inefficient for large messages.

Public-key cryptosystems are quite useful for digital
signatures. The signer, x, computes $S=E(M,d_x)$ and sends
[M,S] to y. User y "looks-up" x's public-key $e_x$, and then
checks to see if $M=D(S,e_x)$. If it does, then y can be
confident that x signed the message, since computing S, such
that $M=D(S,e_x)$, requires knowledge of $d_x$, x's private key,
which only x knows.

Public-key cryptography also provides a convenient way
of performing session key exchange, after which the key that
was exchanged can be used for encrypting messages during
the course of a particular communications session and then
destroyed, though this can vary depending on the application.

One public key cryptographic system is the Rivest,
Shamir, Adleman (RSA) system, as described in Rivest,
Shamir and Adleman, "A Method of Obtaining Digital
Signatures and Public Key Cryptosystems", CACM, Vol 21,
pp 120-126, February 1978. RSA is a public-key based
cryptosystem that is believed to be very difficult to break. In
the RSA system the pair $(e_i, N_i)$ is user i's public-key and
$d_i$ is the user's private key. Here $N_i=pq$, where p and q are
large primes. Here also $e_i d_i \equiv 1 \bmod \phi(N_i)$, where
$\phi(N_i)=(p-1)(q-1)$, which is the Euler Totient function which
returns the number of positive numbers less than $N_i$, that are
relatively prime to $N_i$. A Carmichael function is sometimes
used in lieu of a Euler Totient function.

To encrypt a message being sent to user j, user i will
compute $C=M^{e_j} \bmod N_j$ and send C to user j. User j can
then perform $M=C^{d_j} \bmod N_j$ to recover M. User i could also
send the message using his signature. The RSA based signature
of user i on the message, M, is $M^{d_i} \bmod N_i$. The recipient
of the message, user j, can perform
$(M^{d_i} \bmod N_i)^{e_i} \bmod N_i$, to verify the signature
of i on M.

In a typical mode of operation, i sends j, $M^{d_i} \bmod N_i$
along with M and a certificate
$C=(i, e_i N_i)^{d_{CA}} \bmod N_{CA}$, where C is
generated by a Certificate Authority (CA) which serves as a
trusted off-line intermediary. User j can recover i's public
key from C, by performing $C^{e_{CA}} \bmod N_{CA}$, as $e_{CA}$
and $N_{CA}$ are universally known. It should also be noted that
in an RSA system the encryption and signatures can be combined.

Modifications to RSA systems have been proposed to
enable multi-signatures to be implemented. Such an
approach is described in "Digital Multisignature", C. Boyd,
Proceedings of the Inst. of Math. and its Appl. on Cryptography
and Coding, Dec. 15-17, 1986. The proposed
approach extends the RSA system by dividing or splitting
the user private key d into two or more portions, say $d_a$ and
$d_b$, where $d_a \cdot d_b = d$.
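
The multiplicative split described above, as an added example (not code from the patent or from Boyd's paper): the private exponent is divided into a short user portion d_a and a long server portion d_b, and a signature verifies only after both have been applied. The Mersenne-prime modulus, the password-derived d_a and all function names are assumptions made for the demonstration.

```python
import hashlib
from math import gcd

# Constructed demo key: two known Mersenne primes give a 1128-bit modulus.
# Special-form primes are unsuitable for real keys; they keep this runnable offline.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; a real key generator discards it after the split


def split_private_key(password: str, bits: int = 64):
    """Return (d_a, d_b) with d_a * d_b = D (mod PHI).

    Assumption: the short user portion d_a comes from a truncated password
    hash, nudged upward until it is invertible modulo PHI.
    """
    digest = hashlib.sha256(password.encode()).digest()
    d_a = int.from_bytes(digest, "big") >> (256 - bits)
    d_a |= (1 << (bits - 1)) | 1          # top bit set and odd
    while gcd(d_a, PHI) != 1:
        d_a += 2
    d_b = (D * pow(d_a, -1, PHI)) % PHI   # long portion held by the server
    return d_a, d_b


def portion_length_ok(d_a: int) -> bool:
    """Bound stated in the patent: at least 56 bits, at most 15% of N's length."""
    return 56 <= d_a.bit_length() <= 0.15 * N.bit_length()


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, so always below N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def user_partial_sign(message: bytes, d_a: int) -> int:
    """User side: apply only the short portion."""
    return pow(digest_int(message), d_a, N)


def server_complete(partial: int, d_b: int) -> int:
    """Server side: apply the long portion to what the user sent."""
    return pow(partial, d_b, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key (E, N) can check the joint signature."""
    return pow(signature, E, N) == digest_int(message)


def demo():
    d_a, d_b = split_private_key("correct horse")   # constructed password
    wrong_a, _ = split_private_key("wrong guess")   # constructed wrong password
    msg = b"retrieve file request 42"               # constructed message
    partial = user_partial_sign(msg, d_a)
    bad_partial = user_partial_sign(msg, wrong_a)
    return {
        "joint": verify(msg, server_complete(partial, d_b)),
        "user_only": verify(msg, partial),
        "server_only": verify(msg, pow(digest_int(msg), d_b, N)),
        "wrong_password": verify(msg, server_complete(bad_partial, d_b)),
        "tampered": verify(msg + b"!", server_complete(partial, d_b)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} verifies: {ok}")
```

Only the `joint` case verifies: neither portion alone, nor a portion derived from the wrong password, yields a value that inverts under the public exponent.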

An improved system using split key public encryption has
been disclosed, see U.S. patent application Ser. No. 08/277,808
filed on Jul. 20, 1994 for Y. Yacobi and R. Ganesan
entitled "A System and Method for Identity Verification,
Forming Joint Signatures and Session Key Agreement in an
RSA Public Cryptosystem". The described system and
method allow two system users to verify each other's
identity, form a joint signature and establish and distribute a
session key in an RSA environment.

The system developed by Yacobi and Ganesan provides
significant benefits where no intermediary between the users
needs to be empowered with the ability to eavesdrop on
encrypted communications. However, in practical systems,
it is often desirable or required, for reasons other than
security, that an intermediary with such power be placed
between the users. Such an intermediary can provide a
central point of audit and service cancellation, as well as
other benefits. For example, public subscription systems,
such as INTERNET electronic mail systems, will normally
have a central intermediary empowered to monitor the
access of a subscriber and terminate access should a
subscriber fail to pay his monthly access fee.

"A Secure Joint Signature and Key Exchange System",
Bellcore Technical Document, see also U.S. patent application
Ser. No. 08/277,808 filed on Jul. 20, 1994, now U.S. Pat.
No. 5,588,061 which is also assigned to the assignee of the
present application, modified Boyd's system, and made four
significant additional points regarding split private key
asymmetric cryptosystems. Although specifically applied to
the two party case, the findings can be utilized more
generally. The first point is that, assuming all operations are
modulo N, breaking the joint signature system is equivalent
to breaking RSA. This is true whether the attacker is an
active or passive eavesdropper or one of the system users. It
is assumed that key generation is conducted by a trusted
third party, for example a tamper proof chip, and the factors
of the RSA modulus N and $\phi(N)$ are discarded after key
generation and not known to any of the system users. The
second point is the description of the following key
exchange protocol: User 1 sends $c_1=m_1^{e_2}$ to User 2. User 2
recovers $m_1=c_1^{d_2}$. Similarly User 2 transmits $m_2$ to User 1.
Each user then computes $m=f(m_1,m_2)$, where f is a function
like XOR. Page and Plant prove mathematically that breaking
this scheme is equivalent to breaking RSA. Again this is
true whether the attacker is an active or passive eavesdropper
or one of the system users. The third point is the
introduction of the concept that one of the two users is a
central server which maintains one portion of every user's
RSA private key. In order to sign a message the user must
interact with this server which, it is shown, cannot
impersonate the user. Having to interact with such a central server
has several important practical advantages, including instant
revocation without difficult to maintain Certificate
Revocation lists (CRL), Kent, S., "Privacy Enhancement for
Internet Electronic Mail: Part II: Certificate Based Key
Management", INTERNET RFC 1422, Feb. 1993, a central
point for audit, and a way of providing for digital signatures
in an era where smart cards are not yet ubiquitous. Finally,
the paper also proves mathematically that even if one of the
two portions, $d_a$ and $d_b$, of the private key, d is short, say 64
bits, an eavesdropper will have equal difficulty breaking the
split key system as would be experienced in breaking RSA.
As a consequence, a digital signature infrastructure can be
built where users who remember short, e.g., 8-9 characters,
passwords, can interact with the central server to create RSA
signatures which are indistinguishable from those created
using a full size private key stored on a smart card.

One symmetric cryptosystem is the Kerberos authentication
system, Kohl, J. T. and B. C. Neuman, "The Kerberos
Network Authentication Service", INTERNET RFC 1510,
September 1993, which is based on the classic Needham-Schroeder
authentication protocols, Needham, R. M. and
Schroeder M. D., "Using Encryption for Authentication in
Large Networks of Computers", Communications of the
ACM, v. 21, n. 12, Dec. 1978, with extensions by Denning-Sacco,
D. E. Denning and G. M. Sacco, "Time stamps in Key
Distribution Protocols," Communications of the ACM, v. 24,
n. 8, Aug. 81, pp. 553-536. The system uses a trusted third
party model to perform authentication and key exchange
between entities in a networked environment, for example,
over a local or wide area network. Kerberos uses symmetric
key cryptosystems as a primitive, and initial implementations
use the Data Encryption Standard (DES) as an
interoperability standard, though any other symmetric encryption
standard can be used. After close to a decade of effort the
Kerberos authentication system is now a fairly mature
system whose security properties have held up fairly well to
intense scrutiny. Further, vendors are now delivering Kerberos
as a supported product. Kerberos has also been
adopted as the basis for the security service by the Open
Software Foundation's (OSF) Distributed Computing Environment
(DCE). Consequently, Kerberos can be expected to
be among the most widespread security systems used in
distributed environments over the next several years.

For the sake of clarity, a "simplified" version of the
Kerberos protocol described by Neuman and Ts'o in
Neuman, B. C. and Ts'o, T., "Kerberos: An Authentication
Service for Computer Networks", IEEE Communications,
September 1994, will be discussed below. The complete
protocol is described in Kohl, J. T. and Neuman, B. C., "The
Kerberos Network Authentication Service", INTERNET
RFC 1510, September 1993. Further, the following discussion
is based on Neuman, B. C. and Ts'o, T., "Kerberos: An
Authentication Service for Computer Networks", IEEE
Communications, September 1994, and for the sake of
consistency uses almost the same notation. The fundamental
message exchanges are shown in FIG. 1. In message 1 the
user uses a personal computer or workstation 10 to request
a ticket granting ticket (TGT) from an authentication/security
server (AS) 20. The server 20 creates such a ticket
TGT, looks up the user's password from the Kerberos
database 30, encrypts the TGT with the password and sends
it to the user via the computer 10 in message 2. The user
decrypts the TGT with her password using computer 10 and
stores the TGT on computer 10, for example on a hard disk
or in the random access memory (RAM). Then, when the
user desires to access a service, she sends message 3, which
contains the TGT to the ticket granting server 40. The server
40 verifies the TGT and sends back, in message 4, a service
ticket to access the service server 50, and a session key,
encrypted with the user's password retrieved from database
30. In message 5 the user presents via computer 10 the
service ticket to the server 50, which verifies it and also
recovers the session key from it. If mutual authentication is
required, the server 50, in message 6, sends back a message
encrypted with the session key. All communications
between servers 20, 40 and 50 and computer 10 are via
network 60, e.g. the INTERNET. All communications
between servers 20 and 40 and database 30 are preferably by
direct communications link.

An improved Kerberos type system is described in U.S.
patent application Ser. No. 08/338,128 filed on Nov. 9, 1994,
now U.S. Pat. No. 5,535,276 entitled "YAKSHA, an
Improved System and Method for Securing Communications
Using Split Private Key Asymmetric Cryptography",
which is also assigned to the assignee of the present
application and incorporated herein by reference. The described
system provides for secured communications in a way in
which the compromise of a central database, such as the
secured database in a conventional Kerberos system, will
not be catastrophic to the overall system security. The
system is also less vulnerable to dictionary attacks than
conventional systems and provides a way for one user to
authenticate itself to another user. The described system
facilitates digital signatures being placed on a message and
thereby provides for non-repudiation. Additionally the system
can be implemented to enhance security in conventional
Kerberos systems with minimum changes to the standard
Kerberos protocol and is compatible with the use of "smart
cards". Finally, the described system allows the reuse of an
authentication infrastructure for digital signatures.

Another system having a central server is described in U.S.
patent application Ser. No. 08/277,376 filed on Jul. 18, 1994,
now U.S. Pat. No. 5,557,678 entitled "A System and Method
for Centralized Session Key Distribution, Privacy Enhanced
Messaging and Information Distribution Using A Split Private
Key Public Cryptosystem", which is also assigned to
the assignee of the present application and incorporated
herein by reference. The described system uses split private
key public encryption to provide automatic identity
verification by a central intermediary prior to any information
being exchanged. Additionally, the described system ensures
that the users are authorized before a communications
session is established. The system facilitates the distribution
of session keys, and the proper authorization and
implementation of wire taps. The described system can additionally
provide privacy enhanced messaging and is particularly
suitable for the secure distribution of video, data and other
messages.

Although the above systems provide a great deal of
security and flexibility, problems still exist in exchanging
symmetric session crypto-keys between users of virtual area
networks, such as the INTERNET, who utilize different
cryptosystems. For example, although the users who will
participate in a communications session may all have an
assigned private/public key pair, i.e. are all part of an
asymmetric cryptosystem, only some of the users may have
a split private key, i.e. are part of an asymmetric split key
cryptosystem. Further, because virtual area networks have
open access, data stored on file servers and other storage
devices directly or indirectly connected to such networks is
extremely vulnerable to security breaches and attack.

OBJECTIVES OF THE INVENTION

Accordingly, it is an object of the present invention to
provide for exchanges of symmetric session crypto-keys
between users of virtual area networks, such as the
INTERNET, who utilize different crypto-systems.

It is a further object of the present invention to provide
enhanced security for data stored on file servers and other
storage devices directly or indirectly connected to such
networks.

The advantages and novel features of the present invention
will become apparent to those skilled in the art from this
disclosure, including the following detail description, as
well as by practice of the invention. While the invention is
described below with reference to preferred embodiments, it
should be understood that the invention is not limited
thereto. Those of ordinary skill in the art having access to the
teachings herein will recognize additional applications,
modifications and embodiments in other fields, which are
within the scope of the invention as disclosed and claimed
herein and with respect to which the invention could be of
significant utility.

SUMMARY OF THE INVENTION

According to the present invention, in a system having a
plurality of system users, each user has an associated
asymmetric crypto-key with a public key portion and a
corresponding private key portion. Each public key portion is
accessible to the plurality of system users. The private key
portion of at least some of the users has a first private key
portion known only to the associated user and a corresponding
second private key portion known only to a security
server. The private key portion of other users is known only
to the associated user.

To secure stored files, the data to be stored on a file server
is first identified by a user and forwarded to a file server or
other storage device. A symmetric crypto-key is encrypted
by the security server, or other central security authority,
with the second private key portion of the file server's
crypto-key, to form an encrypted key message. This ensures
that only the appropriate file server will have access to the
symmetric crypto-key. The encrypted key message is
forwarded to the user for forwarding along with the data to the
appropriate file server.

The file server can obtain the symmetric crypto-key by
applying the first private key portion of the file server's
crypto-key to decrypt the encrypted key message. The file
server can now encrypt the identified data with the symmetric
crypto-key to form an encrypted file, and store the
encrypted file and the encrypted key message on an
associated memory device.

If the user desires to retrieve the stored data, a retrieve file
request is first encrypted by the user with the first private key
portion of the user's crypto-key to form a first encrypted
retrieve file request. This authenticates the user's request.
The security server obtains the retrieve file request by
applying the second private key portion of the user's
crypto-key to the first encrypted retrieve file request. The first
encrypted retrieve file request may be encrypted by the
security server with the second private key portion of the
user's crypto-key to form a second encrypted retrieve file
request. This authenticates the user's request. The second
encrypted retrieve file request is forwarded to the file server.
The retrieve file request is obtained by the file server by
applying the public key portion of the user's crypto-key to
decrypt the second encrypted retrieve file request. Responsive
to the request, the file server retrieves the encrypted file
and the encrypted key message from storage. The file server
obtains the symmetric crypto-key by applying the first
private key portion of the file server's crypto-key to decrypt
the retrieved encrypted key message. The file server then
obtains the requested data by applying the symmetric
crypto-key to decrypt the retrieved encrypted file. The file
server directs the data to the requesting user.

If desired, the security server may also encrypt the
retrieve file request with the second private key portion of
the file server's crypto-key to form the second encrypted
retrieve file request. In such a case, the file server obtains the
retrieve file request by additionally applying the first private
key portion of the file server's crypto-key to decrypt the
second encrypted retrieve file request.

Each key portion has a bit length and preferably the bit
length of each first private key portion is smaller than the bit
length of the associated second private key portion.
Beneficially, the bit length of each first private key portion
is between 56 and 72 bits. Further, each private key portion
is comprised of a private exponent and modulus N which is
a product of a plurality of numbers within a set of large
prime numbers. Each public key portion is comprised of a
public exponent and the modulus N. Advantageously, the
modulus N has a bit length and the bit length of each private
key portion is no larger than fifteen percent of the bit length
of the modulus N but not less than 56 bits.

In accordance with other aspects of the invention, session
key distribution is facilitated between a first user having a
first private key portion known only to the first user and a
corresponding second private key portion known only to the
security server and a second user having a private key
portion known only to the second user, i.e. the second user's
private key is not split. To accomplish session key
distribution, the first user encrypts a session key request with
the first private key portion of the user's crypto-key to form
a first encrypted message. The security server decrypts the
first encrypted message by applying the first user's second
private key portion to thereby obtain the session key request.
The security server then encrypts a symmetric crypto-key
with the second private key portion of the first user
crypto-key to form a first encrypted key message. The security
server also encrypts the symmetric crypto-key with the
public key portion of the second user's crypto-key to form
a second encrypted key message.

The first user decrypts the first encrypted key message by
applying the first user's first private key portion to obtain the
symmetric crypto-key. The second user decrypts the second
encrypted key message by applying the private key portion
of the second user's crypto-key to obtain the symmetric
crypto-key. Accordingly, both users now have access to the
symmetric crypto-key which will serve as the session key
for encrypting and decrypting communications between the
users.

Each user station, including the file server(s), and the
security server will typically be represented by a computer
which is driven by programming instructions stored on an
associated computer readable storage medium to operate in
the described manner. The computer could be a personal
computer, work station, mini-computer, main frame computer
or any other computing device with sufficient power to
perform in accordance with the invention. The computer
readable storage could be a hard or floppy disk, CD, ROM,
RAM, DRAM, SRAM, EPROM or other memory device,
including electrical, magnetic and optical memory. Storage
media associated with each user station or file server may be
adapted to store the first private key portion of the user
crypto-key. If the user does not have a split private key, the
storage media will typically store the private key portion of
the user's crypto-key. Storage media associated with the
security server will typically store the second private key
and/or the public key portion of each user's crypto-key.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a conventional Kerberos authentication
system.

FIG. 2 is a diagram of a Yaksha system according to the
present invention.

FIG. 3 is a flow diagram illustrating the steps for session
key exchange in accordance with the present invention.

FIG. 4 is a flow diagram illustrating the steps for encrypting
stored data in accordance with the present invention.

FIG. 5 is a flow diagram illustrating the steps for retrieving
encrypted stored data in accordance with the present
invention.

FIG. 6 depicts a computer suitable for use as a client
station depicted in FIG. 2.

FIG. 7 is an exemplary block diagram of the computer
depicted in FIG. 6.

FIG. 8 depicts a computer suitable for use as the security
server depicted in FIG. 2.

FIG. 9 is an exemplary block diagram of the computer
depicted in FIG. 8.

FIG. 10 depicts a computer suitable for use as the file
server depicted in FIG. 2.

FIG. 11 is an exemplary block diagram of the computer
depicted in FIG. 10.

BEST MODE FOR CARRYING OUT THE INVENTION

It should also be understood that the crypto-keys are
created, as in any public-key cryptosystem, in accordance
with the established policy. The creation and issuance of
asymmetric crypto-key could, for example, be performed by
an organization's Security Department, perhaps the same
organization that issues Photo ID's, using a terminal
connected to a secure computer (e.g. a computer or processor
with a tamper proof chip). A user could access this terminal,
enter her or his name, etc. This information is certified by a
security officer, whose password or private key the computer
knows. The computer then creates an RSA or other
public-private key pair, prompts the user for a password, which
becomes the user's portion of the RSA private key. The
computer computes the portion of the user's private key
which is stored in a secured database, referred to as the
Yaksha database. If the computer is also the security server
acting as the certifying authority, it preferably computes the
user's certificate. Any other user can obtain the user's public
key by applying the certifying authority's public key to the
user's certificate. This is a simplification of the complex
structure of an actual certificate but is sufficient for purposes
of this discussion, Kent S., "Privacy Enhancement for
Internet Electronic Mail: Part II: Certificate Based Key
Management", INTERNET RFC 1422, Feb. 1993.

Once smart cards are ubiquitous, the user-password may
become irrelevant and the security server can download the
user's (long) private key directly to a smart card. No method
of key generation is critical to the functioning of the present
invention, hence the above is only meant to be one possible
scenario. Since the present invention is not vulnerable to
some of the attacks which conventional Kerberos systems
are vulnerable to, the user's private key utilized in accordance
with the present invention will have a longer useful
life than in Kerberos.

It will be understood that a user may be a person or entity,
a server or processor, or a system device such as a switch in
a communications network. Preferably, for every user, there
exists a first private asymmetric crypto-key portion known
only to the user, i.e. the user's private key is split and the
user maintains only a portion of the private key. However,
for the foreseeable future this is unlikely to be the case. For
those users having a split private key, a second private
crypto-key portion, i.e. the remainder of the user's private
key, is stored on a secured database, i.e. the Yaksha database.
Certificates exist on a certifying authority's server, i.e., the
security server which is sometimes also referred to as the
authentication server, and possibly on other servers and user
processors, and every user knows the certifying authority's
public key. All other intermediate key generation information
has been destroyed, preferably within the safe confines
of the tamper proof chip used to generate the crypto-keys.
Both the private and public encryption keys are typically
generated using a private exponent and a modulus N which
is the product of a large number of prime numbers. It is
preferable that the length of the portion of the divided
private encryption key which is maintained by the user be
substantially smaller than the modulus N value. It is further
preferred that the user portion of the divided private encryption
key be no larger than 15% of the length of the modulus
N but not less than 56 bits. If the modulus N is 512 bits in
length and the user portion of the private encryption key
must be memorized by the user or stored in a personal
communications device, the user's portion of the divided
private encryption key is preferably between 56 and 72 bits.

The present invention will now be described with reference
to FIGS. 2-5. FIG. 2 is an exemplary embodiment of
a system and FIGS. 3-5 illustrate the steps performed by the
various system components to provide encrypted file storage
and session key exchange in accordance with the present
invention.

Referring first to FIG. 2, the user on client station 110,
who will be referred to below as the first user, has a split
private key with the second portion of the private key
retained in the Yaksha database 130. The user on client
station 140, who will be referred to below as the second user,
does not have a split private key and therefore [...]
full private key.

As shown, the system includes a personal computer,
workstation or other type of client station 110 operated by
a user and client station 140 operated by another user. The
stations 110 and 140 are connected to network 60 which is
identical to the network shown in FIG. 1. The network could,
for example, be the INTERNET. The stations 110 and 140
can communicate with a security server 120, and a file server
150 via the network.

A YAKSHA database 130 is directly linked to the security
server 120. For clarity, the ticket granting server of the type
shown in FIG. 1 is not depicted but could, if desired, be
easily included within the system and utilized in the manner
previously described in application Ser. No. 08/338,128. A
file server 160 is also a user of the system and is connected
to the system via the network 60.

Each user, including each server, has an asymmetric
crypto-key assigned to it. The key is made up of a public-
private key pair, the public portion of which is known or
available to all users as discussed above. The private portion
of the key of user of client station 110 is divided into a first
portion which is known only to that user and a second
portion which is stored on the YAKSHA database 130 and
accessible only to the security server 120.

Referring now to FIG. 3, session key distribution in
accordance with the present invention will now be
described. In step 200 the first user directs the client station
110 to encrypt a request to establish a communication
session with a second user at client station 140 by applying
the first user's first private key portion to the message. In
step 210, the encrypted message is transmitted via the
network 60 as message 1' to the security server 120. In
response to the receipt of the request, in step 220 security
server 120 retrieves the second portion of the first user's
private key and the first user's public key from the Yaksha
database 130 and applies the retrieved keys to the encrypted
message to decrypt the request.

Responsive to the request, in step 230 the security server
generates a symmetric session key. If desired, the session
key could be pre-generated and stored on security server 120
or the Yaksha database 130; however it is generally preferable
to generate session keys when required.

In step 240, the security server 120 encrypts the session
key with the second portion of the first user's private key and
the first user's public key to form a first encrypted session
key. In step 250, the security server 120 retrieves the second
user's public key from the Yaksha database 130 and encrypts
the session key with the second user's public key to form a
second encrypted session key. The first encrypted session key
and the second encrypted session key are transmitted as
message 2' to the client station 110 in step 260. The client
station 110 decrypts the first encrypted session key with the
first portion of the first user's private key in step 270.
Accordingly, the first user now has access to the session key.

[...] a message is generated and encrypted [...] with the
session key. The encrypted message and the second encrypted
session key are communicated via the network 60, as
message 3', to client station 140 in step 285.

The client station 140, in step 290, decrypts the second
encrypted session key with the second user's private key,
thereby providing the second user with access to the session
key. In step 295, the client station 140 applies the session
key to decrypt the encrypted message from the first user. The
client station 140 generates and encrypts a reply message
with the session key in step 297. The encrypted reply
message is communicated to the client station 110 via
network 60 as message 4'. The encrypted reply message can
be decrypted by the client station 110 applying the session
key thereto. The session key can be utilized by the client
stations 110 and 140 throughout the communication session
to encrypt and decrypt messages exchanged between the first
and second users.

Referring now to FIG. 4, encrypted data storage according
to the present invention will be described. In step 300 the
user directs the client station 110 to encrypt a request for
a crypto-key, to be used in encrypting data to be stored on
file server 150, by applying the first user's first private key
portion to the request. In step 310 the encrypted request is
transmitted via the network 60 as message 5 to the security
server 120. In response to the receipt of the encrypted
request, security server 120, in step 320, retrieves the second
portion of the first user's private key and the first user's
public key from the Yaksha database 130 and applies the
retrieved keys to the encrypted communication to decrypt
the request.

Next, in step 330, the security server 120 generates a
symmetric crypto-key. In step 340 the security server 120
encrypts the crypto-key with the second portion of the file
server's private key and the file server's public key to form
an encrypted symmetric crypto-key. In step 350, the
encrypted crypto-key is transmitted as message 6' to the
client station 110.

The client station 110 transmits the encrypted crypto-key,
along with the data to be stored, to the file server 150 as
message 7, in step 360. The data could of course be
encrypted with, for example, a session key before transmission
to file server 150. The identification of the first user is
provided typically in the form of a Certification of the type
discussed above.

The file server 150 decrypts the encrypted crypto-key
with the first portion of the file server's private key in step
370. The file server 150, in step 380, encrypts the data to be
stored with the crypto-key. In step 390, the file server stores
the encrypted data and the encrypted crypto-key in memory.
Accordingly, the data has now been stored by the file server
150 in an encrypted form.

Turning now to FIG. 5, the recovery of the encrypted data
from storage will be described. In step 500, the first user
directs the client station 110 to encrypt a request for the data
by applying the user's first private key portion to the request
thereby forming a first encrypted message. In step 510 the
first encrypted message is transmitted via the network 60 as
message 8' to the security server 120. In response to the
receipt of the encrypted message, security server 120, in step
520, retrieves the second portion of the first user's private
key and the first user's public key from the Yaksha database
130 and applies the retrieved keys to the encrypted communication
to decrypt the request.

Next, in step 530, the security server 120 encrypts the
request with the second portion of the first user's private key
and the first user's public key, to form a second encrypted
message. In step 540, the second encrypted message is
transmitted as message 9' to the client station 110 via
network 60.

The client station 110, in step 550, further encrypts the
second encrypted message with the first portion of the first
user's private key, to form a third encrypted message. The
client station 110 then transmits the third encrypted message
to the file server 150 as message 10' in step 560.

The file server 150, in step 570, retrieves the request by
applying the first user's public key to the third encrypted
message. It will be noted that the file server is assured of the
validity of the request because in order to decrypt the third
encrypted message both the first user and the security server
120 must have signed a portion of the first user's private key
to the request.

The file server 150 retrieves the encrypted symmetric
crypto-key and encrypted data from storage in step 580. The
file server 150 first decrypts the encrypted crypto-key by
applying its first private key portion thereto, and thereby
obtains the crypto-key in step 585. In step 590, the file server
150 decrypts the encrypted data with the crypto-key. The
data can now be transmitted, in step 595, by the file server
150 via the network 60 to the client server 110 as message
11'.

FIGS. 6-11 depict computers suitable for use as the client
stations 110 or 140, the security server 120 and the file server
150 shown in FIG. 2. The computers are preferably commercially
available personal computers or high-powered
work stations. Each computer's processor could, for
example, be a Pentium™ processor. Any commercially
available keyboard and/or mouse and monitor can be utilized.
A high-speed network interface, including a high-
speed modem, is preferred although not mandatory. The
depicted configuration of the computers is exemplary. One
or more of the computers could, if desired, also or alternatively
include other components (not shown), such as an
optical storage medium. Any number of configurations could
be suitable for implementing the invention so long as
sufficient storage capacity and processing capability are
provided. All of the computers are depicted as having similar
hardware configurations, although this is not necessarily the
case. For example, as will be well understood by the skilled
artisan, it may be desirable for components of the respective
computers to have attributes such as memory storage capacity,
data transmission rates and processing speeds which differ.
In this regard, typically the security and file servers 120 and
150 would include a much larger hard drive and a faster
processor than the client stations 110 and 150.

Each of the computers differ in their respective programming
instructions so that each of the computers is uniquely
driven to operate in accordance with the present invention.
That is, the functionality of each of the computers described
with reference to FIGS. 6-11 varies from that of the other
computers due to the programming instructions which drive
its operation. It will be understood that although FIGS. 6 and
7 depict a computer which could be utilized as either of
client stations 110 or 140, each of these processors will be
driven to operate as described below by a different set of
programming instructions even though the hardware components
may be identical. It will also be recognized by those
skilled in the art that only routine programming is required
to implement the required programming instructions.

To avoid unnecessary duplication the computers depicted
[...] will be described only with reference
to FIGS. 6 and 7. It should be understood that the
corresponding components of the computers depicted in
FIGS. 8-11 will be similar. Further, since the computer
components and configurations are conventional, routine
operations performed by the depicted components will generally
not be described, such operations being well understood
in the art.

Preferably, each of the computers initially stores its
unique programming instructions on its ROM or hard disk.
The private key portion of the user's long term crypto-key
which the user retains may, if desired, be stored in each
computer on the hard disk. However, this should only be
necessary for those users who do not have an associated
split private key or have their full private key on a smart
card. Session keys are preferably stored on the RAM.
Additionally, the programming instructions and other information
stored initially on the ROM or hard disk will typically
be downloaded to the RAM during operation of the computer
and accessed during operations directly from the
RAM. The computer 600', i.e., the computer which serves as
the security server 120, could if desired include the Yaksha
database 130 stored preferably on its hard disk.

Referring now to FIGS. 6 and 7, the computer 600
includes a main unit 610 with slots 611, 612 and 613,
respectively provided for loading programming or data from
a floppy disc 726a, CD 728a and smart card 729a onto the
computer 600. The computer 600 also includes a keyboard
630 and mouse 640 which serve as user input devices. A
monitor display 620 is also provided to visually communicate
information to the user.

As depicted in FIG. 7, the computer 600 has a main
processor 700 which is interconnected via bus 710 with
various storage devices including RAM 720, ROM 722 and
hard disk 724a, all of which serve as a storage medium on
which computer programming or data can be stored and
accessed by the processor 700. The main processor 700 is
also interconnected via bus 710 with various other devices
such as the floppy disc drive 726, the CD drive 728 and the
card reader 729 which are capable of being controlled by
drive controller 750 to read computer programming or data
stored on a floppy disc 726a, CD 728a or smart card 729a
when inserted into the appropriate slot 611, 612 or 613 in the
unit 610. By accessing the stored computer programming
the processor 700 is driven to operate in accordance with the
present invention.

The processor 700 is also operatively connected to the
keyboard 630 and/or mouse 640, via input interface 730. The
display monitor 620 is also interconnected to the processor
700, via display interface 740, to facilitate the display of
information to the user. The network interface 760 is provided
to interconnect the processor 700 to the network 60
depicted in FIG. 2 and accordingly allow communications
between the computer 600 and other network devices. Since
the computer 600 serves as the client station 110 or 140, the
network interface allows communications between client
stations 110 and 140 and with network servers 120 and 150.

The inter-operation of the various components of the
computers depicted in FIGS. 6-11 in implementing the steps
described above with reference to FIGS. 3-5 will now be
described. Referring first to FIGS. 6 and 7, in order for the
first user to request a session key for a session with the
second user from the security server 120, the user enters a
command using the keyboard 630 or the mouse 640, responsive
to which the computer programming stored, for
example, initially on ROM 722 and downloaded to RAM
720 during operation of the system, drives the processor 700
to encrypt the session key request with the first portion of the
first user's private key which may be either retrieved from
storage on, for example, hard disk 724a, or entered on the
keyboard by the user, as described in step 200 of FIG. 3.

The processor, in accordance with the stored programming
instructions, drives the network interface 760 to transmit
the encrypted request for a session key to the security
server 120 as described in step 210 above. This step may be
performed automatically or may require a prompting from
the user via the keyboard 630 or mouse 640. An indication
that the request has been transmitted may be displayed on
the display 620.

Referring now to FIGS. 8 and 9, the encrypted request is
received by the processor 700' via the network interface
760'. In accordance with programmed instructions initially
stored on ROM 722' and downloaded to RAM 720' during
system operation, the processor is driven to retrieve the
second portion of the first user's private key and the first
user's public key from the hard disk 724a' which serves as
the Yaksha database 130 of FIG. 2, and to apply the retrieved
keys as described in step 220 to decrypt the encrypted
request.

Responsive to the request, the processor 700' is driven to
generate a session key as described in step 230 and to
encrypt the generated session key with the second portion of
the first user's private key and the first user's public key as
discussed above with reference to step 240. In accordance
with its programmed instructions, the processor 700' also
retrieves, from the hard disk 724a', the second user's public
key and applies this key to separately encrypt the session key
as described in step 250. The processor 700' now drives the
network interface 760 to transmit the first and second
encrypted session keys to client station 110 via the network
60 as discussed in step 260.

Referring again to FIGS. 6 and 7, the first and second
encrypted session keys are received by the processor 700 via
the network interface 760. The first encrypted session key is
decrypted by processor 700 in accordance with its programmed
instructions as described in step 270. The processor
700 is next driven to encrypt a communication from the
first user, which has been entered via the keyboard 630 and
displayed on the display 620, with the session key as
discussed in step 280. The processor 700 now drives the
network interface 760 to transmit the encrypted message and
second encrypted session key to the client station 140
processor as indicated in step 285. The client station 140
processor is now driven by its stored programming instructions
to decrypt the second encrypted session key and to then
apply the session key to decrypt the encrypted communication
from the first user as discussed in steps 290-295. The
client station 140 processor is also driven to encrypt a reply
message which is input via the station 140 keyboard by the
second user with the session key and to drive the network
interface of client station 140 to transmit the encrypted reply
to client station 110 via the network 60 as described in step
297.

Referring again to FIGS. 6 and 7, the computer 600 will,
in accordance with its stored programming instructions,
operate in a similar manner to that described above in
requesting a symmetric crypto-key to be used to store
encrypted data as described in steps 300-310 of FIG. 4. The
security server shown in FIGS. 8 and 9 will likewise operate
in the similar manner to that described above in decrypting
the request and generating a symmetric crypto-key to be
used for file storage as described in steps 320-330.

The processor 700' will next be driven by its programming
instructions to retrieve the second portion of the file
server private key from the hard disk 724a' and to apply this
key portion to encrypt the generated symmetric crypto-key
as described in step 340. The processor 700' then drives the
network interface 760' to transmit the encrypted crypto-key
to client station 110 via network 60 as described in step 350.

Returning to FIGS. 6 and 7, the encrypted crypto-key is
received by the processor 700 via network interface 760.
Data is retrieved from storage on, for example, RAM 720 in
accordance with instructions entered by the user via keyboard
630 or mouse 640 and transmitted along with the
encrypted crypto-key by the network interface 760 to the file
server 150 as discussed in step 360.

Referring now to FIGS. 10 and 11, the processor 700"
receives the data and encrypted crypto-key via network
interface 760". The processor 700" is driven by its stored
programmed instructions to retrieve the first portion of the
file server's private key from storage on, for example, hard
disk 724a" and apply this key portion to decrypt the
encrypted crypto-key as described in step 370. The processor
700" is then driven to encrypt the data with the symmetric
crypto-key and store the data and encrypted crypto-key
on hard disk 724a" as described in steps 380-390.

Referring again to FIGS. 6 and 7, the computer 600 will
operate in a manner similar to that described above in
encrypting and transmitting a data request to the security
server 120 as described in steps 500-510. Similarly, the
computer 600' will operate as previously described in
decrypting the encrypted request as discussed in step 520.
The processor 700' will then retrieve the second portion of
the first user's private key from the hard disk 720a'. As
described in step 530, the processor 700', driven by its
programming instructions, is driven to encrypt the data
request with the retrieved key portion. The processor 700'
then drives the network interface 760' to transmit the
encrypted data request to the client station 110 as indicated
in step 540.

Referring to FIGS. 6 and 7, the processor 700 receives the
encrypted data request via the network interface 760. The
processor 700, in accordance with its programmed
instructions, applies the first portion of the first user's private
key to the encrypted data request received from the security
server 120 to further encrypt the data request as disclosed in
step 550. The further encrypted data request is then transmitted
by network interface 760, in accordance with signals
from the processor 700, via network interface to the file
server 150, as described in step 560.

Referring now to FIGS. 10 and 11, the processor 700"
receives the fully encrypted data request via network interface
760". The processor 700", in accordance with its
programmed instructions, retrieves the first user's public key
from, for example, the hard disk 724a", and applies this key
to decrypt the data request which has been received from the
first user, as discussed in step 570 above. In response to the
request, the processor 700" is driven to retrieve the stored
encrypted crypto-key and encrypted data along with the
second portion of the file server's private key from the hard
disk 724a" as described in step 580. The processor 700", in
accordance with its programmed instructions, decrypts the
encrypted crypto-key and then the encrypted data, as noted
in steps 585-590. The processor 700" next drives the network
interface 760" to transmit the data to the client station
110 as indicated in step 595.
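
The split-key operations of the FIG. 4 and FIG. 5 flows (steps 330-390 and 580-590) and the co-signed retrieve request of claim 2, worked through as an added example that is not code from the patent. It assumes the two portions satisfy d1 * d2 * e = 1 mod phi(N), uses textbook RSA without padding on a constructed two-prime modulus, and substitutes a SHA-256 keystream for the unnamed symmetric cipher; all function names are hypothetical.

```python
import hashlib
import math
import secrets

# Constructed demo modulus built from two known Mersenne primes so the example
# runs offline. Illustration only: real keys need random, secret primes (the
# text also allows more than two), and real RSA needs padding.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                      # 1128-bit modulus
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent

def split_private_key(user_bits=64):
    """Return (d1, d2): short user-held portion, long server-held portion.
    Assumption (relation not stated in this section): d1 * d2 * E == 1 mod PHI."""
    while True:
        # Force the top bit (exact length) and the low bit (PHI is even).
        d1 = secrets.randbits(user_bits) | (1 << (user_bits - 1)) | 1
        if math.gcd(d1 * E, PHI) == 1:
            return d1, pow(d1 * E, -1, PHI)

def server_wrap_key(sym_key, d2):
    """Steps 330-340: the security server encrypts the symmetric key with the
    server-held portion and the public key, giving the encrypted key message."""
    return pow(int.from_bytes(sym_key, "big"), d2 * E, N)

def holder_unwrap_key(key_msg, d1, key_len=32):
    """Steps 370 and 585: the holder of the first portion recovers the key.
    Returns None when the result is not key-sized (wrong portion applied)."""
    k = pow(key_msg, d1, N)
    if k.bit_length() > 8 * key_len:
        return None
    return k.to_bytes(key_len, "big")

def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def user_apply(request, d1):
    """Claim 2, first step: the user applies the first private key portion."""
    return pow(int.from_bytes(request, "big"), d1, N)

def server_apply(partial, d2):
    """Claim 2, second step: the security server applies the second portion."""
    return pow(partial, d2, N)

def file_server_open(value):
    """Step 570: the file server applies the public key; the request comes out
    only if both private key portions were applied beforehand."""
    m = pow(value, E, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def store_and_retrieve(data, request):
    """Run storage (FIG. 4) and retrieval (FIG. 5) end to end; return the
    recovered data, or None if the co-signed request does not verify."""
    d1, d2 = split_private_key()
    key_msg = server_wrap_key(secrets.token_bytes(32), d2)
    # Steps 370-390: unwrap, encrypt, store ciphertext with the key message.
    stored = (stream_xor(holder_unwrap_key(key_msg, d1), data), key_msg)
    # Steps 550-570: request carries both portions, checked with public key.
    cosigned = server_apply(user_apply(request, d1), d2)
    if file_server_open(cosigned) != request:
        return None
    # Steps 580-590: fetch both stored items, unwrap the key, decrypt the data.
    enc_file, stored_key_msg = stored
    return stream_xor(holder_unwrap_key(stored_key_msg, d1), enc_file)

if __name__ == "__main__":
    sample = b"constructed sample record for the storage demo"
    print(store_and_retrieve(sample, b"RETRIEVE sample.dat") == sample)
```

The stored key message is useless without the first private key portion, and a request that skipped the security server fails the public-key check at the file server.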

As described above the present invention provides for
exchanges of symmetric session crypto-keys between users
of virtual area networks, such as the INTERNET, who utilize
different crypto-systems. The present invention additionally
provides enhanced security for data stored on file servers
and other storage devices directly or indirectly connected to
such networks.

It will also be recognized by those skilled in the art that
while the invention has been described above in terms of
preferred embodiments it is not limited thereto. Various
features and aspects of the above described invention may
be used individually or jointly. Further, although the invention
has been described in the context of their use in a
particular environment, i.e., the INTERNET, those skilled in
the art will recognize that the present invention can be
beneficially utilized in any environment in which not all
users have a split private key or which would benefit from
enhanced security of stored files and data. Accordingly, the
claims set forth below should be construed in view of the full
breadth and spirit of the invention as disclosed herein.

I claim: 

1. A method for securing stored files in a system having
a plurality of system users, each said user having an associated
asymmetric crypto-key with a public key portion and
a corresponding private key portion, each public key portion
being accessible to the plurality of system users, each private
key portion having a first private key portion known only to
the associated user and a corresponding second private key
portion known only to a security server, comprising the steps
of:

identifying data for storage;

encrypting a symmetric crypto-key with the second private
key portion of a first user crypto-key associated
with a first user to form an encrypted key message;

obtaining the symmetric crypto-key by applying the first
private key portion of the first user crypto-key to
decrypt the encrypted key message;

encrypting said data with the symmetric crypto-key to
form an encrypted file; and

storing the encrypted file and said encrypted key message.

2. A method according to claim 1, further comprising the
steps of:

encrypting a first retrieve file request with the first private
key portion of a second user crypto-key associated with
a second user to form a first encrypted retrieve file
request;

encrypting the first encrypted retrieve file request with the
second private key portion of the second user crypto-key
to form a second encrypted retrieve file request;
and

obtaining the first retrieve file request by applying the
public key portion of the second user crypto-key to
decrypt the second encrypted retrieve file request;

retrieving the encrypted file and the encrypted key message
from storage responsive to said retrieve file
request;

obtaining the symmetric crypto-key by applying the first
private key portion of the first user crypto-key to
decrypt the retrieved encrypted key message; and

obtaining the data by applying the symmetric crypto-key
to decrypt the retrieved encrypted file.

3. A method according to claim 2, further comprising the
steps of obtaining the first retrieve file request by applying
the second private key portion of the second user crypto-key
to the first encrypted retrieve file request, and directing the
data to the second user.

4. A method according to claim 1, wherein said first user
is a file server.

5. A method according to claim 1, wherein each said key
portion has a bit length and the bit length of each first private
key portion is smaller than the bit length of the associated
second private key portion.

6. A method according to claim 1, wherein the bit length
of each said first private key portion is between 56 and 72
bits.

7. A method according to claim 1, wherein (i) each said
private key portion is comprised of a private exponent and
modulus N which is a product of a plurality of numbers
within a set of large prime numbers, (ii) each said public key
portion is comprised of a public exponent and the modulus
N and (iii) the modulus N has a bit length and the bit length
of each said private key portion is no larger than fifteen
percent of the bit length of the modulus N but not less than
56 bits.

8. A system for securing stored files having a plurality of
system users, each said user having an associated asymmetric
crypto-key with a public key portion and a corresponding
private key portion, each public key portion being accessible
to the plurality of system users, each private key portion
having a first private key portion known only to the associated
user and a corresponding second private key portion
known only to a security server, comprising:

a security server configured to encrypt a symmetric
crypto-key to form an encrypted key message;

a file server, having an associated file server crypto-key,
configured to encrypt data with the symmetric crypto-key
to form an encrypted file; and

storage media configured to store the encrypted file and
said encrypted key message;

wherein, (i) the security server is operable to encrypt the
symmetric crypto-key with the second private key
portion of the file server crypto-key to form the
encrypted key message, and (ii) the file server is
operable to obtain the symmetric crypto-key by applying
the first private key portion of the file server
crypto-key to decrypt the encrypted key message.

9. A system according to claim 8, further comprising:

a user processor configured to encrypt a first retrieve file
request with the first private key portion of a user
crypto-key to form a first encrypted retrieve file
request;

wherein, the security server encrypts the first encrypted
retrieve file request with the second private key portion
of the user crypto-key to form a second encrypted
retrieve file request and

wherein, the file server (i) obtains the first retrieve file
request by applying the public key portion of the user
crypto-key to decrypt the second encrypted retrieve file
request (ii) directs the retrieval of the encrypted file
and the encrypted key message from the storage media
responsive to the retrieve file request, (iii) obtains the
symmetric crypto-key by applying the first private key
portion of the file server crypto-key to decrypt the
retrieved encrypted key message, and (iv) obtains the
data by applying the symmetric crypto-key to decrypt
the retrieved encrypted file.

10. A system according to claim 9, wherein said security
server obtains the first retrieve file request by applying the
second private key portion of the user crypto-key to the first
encrypted retrieve file request, and the file server directs the 
data to the user processor. 

11. A system according to claim 8, wherein each said key 
portion has a bit length and the bit length of each first private
key portion is smaller than the bit length of the associated 
second private key portion. 

12. A system according to claim 8, wherein the bit length
of each said first private key portion is between 56 and 72 
bits. 

13. A system according to claim 8, wherein (i) each said 
private key portion is comprised of a private exponent and 
modulus N which is a product of a plurality of numbers 
within a set of large prime numbers, (ii) each said public key 
portion is comprised of a public exponent and the modulus 
N and (iii) the modulus N has a bit length and the bit length 
of each said private key portion is no larger than fifteen 
percent of the bit length of the modulus N but not less than 
56 bits. 

14. An article of manufacture for securing stored files in 
a system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, each private key portion having a first private key 
portion known only to the associated user and a correspond- 
ing second private key portion known only to a security 
server, comprising: 

computer readable storage medium; and 

computer programming stored on said storage medium;

wherein said stored computer programming is configured 
to be readable from said computer readable storage 
medium by a computer and thereby cause said com- 
puter to operate so as to: 

decrypt a symmetric crypto-key encrypted with the sec- 
ond private key portion of a user crypto-key associated 
with a user of said computer by applying the first 
private key portion of the user crypto-key, to thereby 
obtain the symmetric crypto-key; 

encrypt data with the symmetric crypto-key to form an 
encrypted file; and 

store the encrypted file and the encrypted symmetric 
crypto-key. 

15. An article of manufacture according to claim 14,
wherein said stored computer programming is configured to
be readable from said computer readable storage medium by
the computer to thereby cause said computer to operate so as
to:

decrypt a retrieve file request encrypted with the first and 
the second private key portion of a second user crypto- 
key by applying the public key portion of said second 
user crypto-key to obtain the retrieve file request; 

retrieve the encrypted file and the encrypted symmetric 
crypto-key from storage responsive to said retrieve file 
request; 

decrypt the retrieved encrypted symmetric crypto-key by 
applying the first private key portion of the user crypto- 
key to obtain the symmetric crypto-key; and 

decrypt the retrieved encrypted file by applying the sym- 
metric crypto-key to obtain the data. 

16. An article of manufacture according to claim 15, 
wherein said stored computer programming is configured to 
be readable from said computer readable storage medium by 
the computer to thereby cause said computer to operate so as 
to direct the data to the second user. 

17. A programmed computer for securing stored files in a 
system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, each private key portion having a first private key 
portion known only to the associated user and a correspond- 
ing second private key portion known only to a security 
server, comprising: 
a processor for decrypting a symmetric crypto-key 
encrypted with the second private key portion of a user 
crypto-key by applying the first private key portion of 
the user crypto-key, to thereby obtain the symmetric 
crypto-key, and encrypting data with the symmetric 
crypto-key to form an encrypted file; 
storage media for storing the encrypted file and the 
encrypted symmetric crypto-key. 

18. A programmed computer according to claim 17, 
wherein: 

the processor is adapted to decrypt a retrieve file request 
encrypted with the first and the second private key 
portion of a second user crypto-key by applying the 
public key portion of said second user crypto-key to 
obtain the retrieve file request, to retrieve the encrypted 
file and the encrypted symmetric crypto-key from the 
storage media, to decrypt the retrieved encrypted sym- 
metric crypto-key by applying the first private key 
portion of the user crypto-key to obtain the symmetric 
crypto-key, and to decrypt the retrieved encrypted file 
by applying the symmetric crypto-key to obtain the 
data; 

the storage media is adapted to store the first private key 
portion of the user crypto-key. 

19. A method for session key distribution in a system 
having a plurality of system users, each said user having an 
associated asymmetric crypto-key with a public key portion 
and a corresponding private key portion, each public key 
portion being accessible to the plurality of system users, the 
private key portion of a first user having a first private key 
portion known only to the first user and a corresponding 
second private key portion known only to a security server 
and the private key portion of a second user known only to 
the second user, comprising the steps of: 

encrypting a symmetric session key request with the first 
private key portion of the first user crypto-key to form 
a first encrypted message; 
decrypting the first encrypted message by applying the 
second private key portion of the first user crypto-key 
to thereby obtain the session key request; 
encrypting a symmetric session crypto-key with the sec- 
ond private key portion of the first user crypto-key to 
form a first encrypted key message; 
encrypting the symmetric session crypto-key with the 
public key portion of the second user crypto-key to 
form a second encrypted key message; 
decrypting the first encrypted key message by applying 
the first private key portion of the first user crypto-key 
to obtain the symmetric session crypto-key for the first 
user; 

decrypting the second encrypted key message by applying 
the private key portion of the second user crypto-key to 
obtain the symmetric session crypto-key for the second 
user; 

encrypting and decrypting communications between said 
first user and said second user with the symmetric 
crypto-key. 

20. A method according to claim 19, wherein said (i) each 
said private key portion is comprised of a private exponent 
and modulus N which is a product of a plurality of numbers 
within a set of large prime numbers, (ii) each said public key 
portion is comprised of a public exponent and the modulus 
N and (iii) the modulus N has a bit length and the bit length 
of each said private key portion is no larger than fifteen 
percent of the bit length of the modulus N but not less than 
56 bits. 
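
The session key exchange of claims 19 and 20, carried through with textbook RSA as an added example that is not code from the patent. It assumes the multiplicative split d1·d2·e ≡ 1 (mod φ(N)), so each "applying" of a private key portion is followed by the public exponent e; the Mersenne-prime moduli, the 128-bit d1, the request string and all function names are constructed for illustration, and the claim 20 bound is checked on the user-held portion only.

```python
import math
import secrets

E = 65537  # public exponent shared by both constructed demo keys

def rsa_key(p, q):
    """Textbook RSA (no padding) from two primes: returns (n, phi, d)."""
    phi = (p - 1) * (q - 1)
    return p * q, phi, pow(E, -1, phi)

def split_private(d, phi, bits):
    """Short user portion d1 plus server portion d2, with d1*d2 = d (mod phi)."""
    while True:
        d1 = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(d1, phi) == 1:
            return d1, d * pow(d1, -1, phi) % phi

def in_claimed_bounds(portion, n):
    """Bit-length rule of claim 20: at least 56 bits, at most 15% of N's bits."""
    bits = portion.bit_length()
    return 56 <= bits and bits * 100 <= 15 * n.bit_length()

def distribute_session_key():
    # Constructed parameters: Mersenne primes keep the demo short; never real keys.
    n_a, phi_a, d_a = rsa_key(2**521 - 1, 2**607 - 1)   # first user, split key
    n_b, _, d_b = rsa_key(2**127 - 1, 2**89 - 1)        # second user, whole key
    d1, d2 = split_private(d_a, phi_a, 128)             # d1: user, d2: server

    # First user -> server: request under d1; server strips it with d2, then e.
    request = int.from_bytes(b"session-key-request:user2", "big")
    msg1 = pow(request, d1, n_a)
    request_ok = pow(pow(msg1, d2, n_a), E, n_a) == request

    # Server: one session key, wrapped once per recipient.
    k = secrets.randbits(128) | (1 << 127)
    key_msg1 = pow(k, d2, n_a)      # first encrypted key message
    key_msg2 = pow(k, E, n_b)       # second encrypted key message

    return {
        "k": k,
        "request_ok": request_ok,
        "k_user1": pow(pow(key_msg1, d1, n_a), E, n_a),  # needs d1 as well as e
        "k_user2": pow(key_msg2, d_b, n_b),
        "public_only": pow(key_msg1, E, n_a),            # without d1: not k
        "d1_in_bounds": in_claimed_bounds(d1, n_a),
    }

if __name__ == "__main__":
    print(distribute_session_key())
```

The `public_only` value shows why the first encrypted key message is restricted to the first user: the public exponent alone does not undo the server's portion.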

21. A system for session key distribution having a plurality 
of system users, each said user having an associated 
asymmetric crypto-key with a public key portion and a 
corresponding private key portion, each public key portion 
being accessible to the plurality of system users, the private 
key portion of a first user having a first private key portion 
known only to the first user and a corresponding second 
private key portion known only to a security server and the 
private key portion of a second user known only to the 
second user, comprising: 

a security server configured to encrypt a symmetric session 
crypto-key with the second private key portion of 
the first user crypto-key to form a first encrypted key 
message and to encrypt the symmetric session crypto- 
key with the public key portion of the second user 
crypto-key to form a second encrypted key message, 
and having an associated storage medium for storing 
the second private key portion of the first user crypto- 
key and the public key portion of the second user 
crypto-key; 

a first user processor configured to decrypt the first 
encrypted key message by applying the first private key 
portion of the first user crypto-key to obtain the sym- 
metric crypto-key, and to encrypt communications to 
and decrypt communications from the second user with 
the symmetric crypto-key; 

a second user processor configured to decrypt the second 
encrypted key message by applying the private key 
portion of the second user crypto-key to obtain the 
symmetric crypto-key, and to encrypt communications 
to and decrypt communications from the first user with 
the symmetric crypto-key. 

22. A system according to claim 21, wherein (i) each said 
private key portion is comprised of a private exponent and 
modulus N which is a product of a plurality of numbers 
within a set of large prime numbers, (ii) each said public key 
portion is comprised of a public exponent and the modulus 
N and (iii) the modulus N has a bit length and the bit length 
of each said private key portion is no larger than fifteen 
percent of the bit length of the modulus N but not less than 
56 bits. 

23. An article of manufacture for session key distribution 
in a system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, the private key portion of a first user having a first 
private key portion known only to the first user and a 
corresponding second private key portion known only to a 
security server and the private key portion of a second user 
known only to the second user, comprising: 

computer readable storage medium; and 
computer programming stored on said storage medium; 
wherein said stored computer programming is configured 
to be readable from said computer readable storage 
medium by a computer and thereby cause said com- 
puter to operate so as to: 
decrypt a first message encrypted with the first private key 
portion of the first user crypto-key by applying the 
second private key portion of the first user crypto-key 
to thereby obtain a session key request; 
encrypt a symmetric crypto-key with the second private 
key portion of the first user crypto-key to form a first 
encrypted key message; and 
encrypt the symmetric crypto-key with the public key 
portion of the second user crypto-key to form a second 
encrypted key message; 
wherein, the symmetric crypto-key is obtainable by the 
first user by applying the first private key portion of the 
first user crypto-key to the first encrypted key message 
and by the second user by applying the private key 
portion of the second user crypto-key to the second 
encrypted key message so that the symmetric crypto- 
key is available to encrypt and decrypt communications 
between said first and said second users. 
24. A programmed computer for session key distribution 
in a system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, the private key portion of a first user having a first 
private key portion known only to the first user and a 
corresponding second private key portion known only to a 
security server and the private key portion of a second user 
known only to the second user, comprising: 
a processor for decrypting a first message encrypted with 
the first private key portion of the first user crypto-key 
by applying the second private key portion of the first 
user crypto-key to thereby obtain a session key request, 
for generating a symmetric crypto-key, for encrypting 
the symmetric crypto-key with the second private key 
portion of the first user crypto-key to form a first 
encrypted key message, and for encrypting the sym- 
metric crypto-key with the public key portion of the 
second user crypto-key to form a second encrypted key 
message; and 

storage media for storing the second private key portion 
of the first user crypto-key and the public key portion 
of the second user crypto-key; wherein, the symmetric 
crypto-key is obtainable by the first user by applying 
the first private key portion of the first user crypto-key 
to the first encrypted key message and by the second 
user by applying the private key portion of the second 
user crypto-key to the second encrypted key message 
so that the symmetric crypto-key is available to encrypt 
and decrypt communications between said first and said 
second users. 

* * * * * 